
Re: missing icmp errors for udp packets

To: Alexey Kuznetsov <kuznet@xxxxxxxxxxxxx>
Subject: Re: missing icmp errors for udp packets
From: clemens <therapy@xxxxxxxxxxxxx>
Date: Tue, 31 Jul 2001 20:44:09 +0200
Cc: netdev@xxxxxxxxxxx
In-reply-to: <200107292220.CAA00332@xxxxxxxxxxxxxx>
References: <200107292220.CAA00332@xxxxxxxxxxxxxx>
Sender: owner-netdev@xxxxxxxxxxx
User-agent: Mutt/1.3.18i
On Mon, Jul 30, 2001 at 02:20:27AM +0400, Alexey Kuznetsov wrote:

> > does this somehow explain why this whole issue doesn't apply to the loopback
> > devices?
> 
> Ratelimit checks are simply skipped for it, they apply only to icmps,
> which are going to be sent to network.
> 
> Source of the problem was that icmp holds single variable for rate, but still
> pretends to allow setting different rates for different types of messages.
> Algo solves this assigning different costs to different types, but
> it breaks when costs are strongly different, so that low cost one (echo reply
> in this case) suppresses high cost (icmp errors) too strongly
> for some short time. nmap sends tight burst of udp messages (which is crazy
> anyway, icmp errors except for a few will be dropped in any case),
> after echo and all the icmp errors inevitably fall to this dead interval.

in some way this "pretending to be a feature" issue should be cleaned up.

consequently since there is only one token bucket, there can only be one
icmp rate limit. we can add an icmp type mask to enable/disable rate limiting
for certain types.
or we could add a bunch of token buckets to dst_entry, which would make the
whole thing overbloated.
using lazy instantiation would be the third option i could think of. change
rate_last+rate_token to a token bucket reference only used if needed.

in the latest case, one should discipline route.c to keep hands off
rate_token+rate_last.

clemens
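
The dead interval described in the quoted explanation, shown as an added example that is not part of the original message and is not the kernel's source: a simplified model of one token bucket charged with per-type costs, compared with a separate bucket per type (the second option listed above). The costs, the burst factor and the timing of the burst are assumed values chosen for illustration.

```c
#include <stdio.h>

#define BURST_FACTOR    6    /* assumed: bucket holds at most 6 messages' worth */
#define COST_ECHO_REPLY 1    /* assumed cost in ticks (cheap type) */
#define COST_ERROR      100  /* assumed cost in ticks (expensive type) */

/* Tokens are elapsed ticks, mirroring a rate_tokens + rate_last pair. */
struct bucket { unsigned long tokens, last; };

/* Charge one message of the given cost; returns 1 if it may be sent.
 * The cap is derived from the caller's cost, so a cheap message
 * truncates the balance that an expensive one would need. */
static int bucket_allow(struct bucket *b, unsigned long now, unsigned long cost)
{
    b->tokens += now - b->last;
    b->last = now;
    if (b->tokens > BURST_FACTOR * cost)
        b->tokens = BURST_FACTOR * cost;
    if (b->tokens >= cost) {
        b->tokens -= cost;
        return 1;
    }
    return 0;
}

/* Constructed scenario: long idle period, one echo reply, then `burst`
 * ICMP errors one tick apart. Returns how many errors are sent. */
static int errors_sent(int shared, int burst)
{
    struct bucket echo = {0, 0}, err = {0, 0};
    struct bucket *eb = shared ? &echo : &err; /* shared: errors use echo's bucket */
    unsigned long t = 10000;                   /* idle long enough to fill a bucket */
    int i, sent = 0;

    bucket_allow(&echo, t, COST_ECHO_REPLY);   /* balance collapses to 6*1 - 1 */
    for (i = 1; i <= burst; i++)
        sent += bucket_allow(eb, t + i, COST_ERROR);
    return sent;
}

int main(void)
{
    printf("single bucket:    %d of 20 errors sent\n", errors_sent(1, 20));
    printf("bucket per type:  %d of 20 errors sent\n", errors_sent(0, 20));
    return 0;
}
```
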
